Implement DNS-over-TLS capability in Pi-hole

Yes and No.

Yes: The DNS server in FTL is based on dnsmasq and, as such, is a DNS proxy that can either reply from its internal cache or has to forward the request to somewhere else. In the case of DoT, pihole-FTL forwards the requests to a local proxy which itself forwards it to Cloudflare using an encrypted connection.

There are several complications when it comes to implementing this into pihole-FTL: There are different flavors of encrypted DNS traffic: DNS-over-TLS (DoT), DNS-over-HTTPS (DoH), dnscrypt and a few more. Implementing them would be a major task and nobody can ensure that it is bug-free*. Furthermore, all the different providers have a (slightly) different take on the standards and specifications such that an implementation often cannot be generic enough to cover all use cases.

*) While this is always true, it is a special problem when it comes to cryptography as even tiny implementation bugs can make the encryption itself vulnerable.

The current solution of having various specialized agents to talk to their respective providers.
IMHO this is the - by far - best approach as the providers themselves know their own specs best. Moreover, many small projects are much easier to be maintained than a monolithic pihole-FTL binary that tries to do everything.

No: We fully support DoT inside Pi-hole. You just need to realize it using a local proxy of your preferred DNS provider. See the "Yes" reply for further details.

3 Likes

It has been a while, but wanted to let you all know that I have added Cloudflare DoH (cloudflared) to my setup. It is fully explained in my Github repo here and the automated updates of it here.

1 Like

Can't this be merge in pihole as an out of the box available feature?
I can't believe how something like this is out of the scope.
DoH protects the privacy and it looks like Pi-hole is not concerned about the privacy of their users.

Yeah, that's it exactly.

Do you want DoH or DoT or dnscrypt. Should we use stubby or cloudflared? I'd think that a user concerned with privacy would want to use their preferred technology instead of one that is determined by the developers.

well if you would care about privacy you would have implemented a DNS Resolver to call root servers directly over a encrypted channel.

Not all the users that use pihole know how to install different "hacks" to make it work. Pi-hole has a huge public because is has a nice interface where you can configure many things.
https://doh.defaultroutes.de/implementations.html
Choose whatever you think fits better but make it easy so everyone can enjoy the benefits.

We do care about privacy and security, neither of which can be done with a shortcut or handholding. That's where you get in to dangerous territory of having someone else do it for you and giving control of your security and privacy to other parties. That is never a good thing.

The point still stands, you may have an encrypted response for your DNS to IP but visiting that IP over a bare, unencrypted connection just exposed all the information that you had hidden.

Dont you visit the IP over a https?
So DoH or DoT aren't better that nothing in any way considering security or privacy?

What about a DNS resolver? so you don't relay in an intermediate DNS server like cloudflare?

@DanSchaper
Your direct competitor already supports it

It can be that hard.

They aren't our direct competitor.

IP over https doesn't do anything to hide where you are going, which is what DNS is. It tells you where to go. TLS just protects the payload from that IP. Your ISP knows that you went to Amazon, but they don't know what you bought.

I know some people that have moved to adguard home.
But you are right this https://www.nextdns.io/ will probably end up eating most of your users, and it supports DoH.

I don't think so. nextdns is just an external service like Quad9, Cloudflare or Google. For me there is no difference between them, and also no advantage to use them.

Regarding privacy and performance for me the best solution is Pi-hole + local Unbound.

1 Like

There are quite a few features and advantages that nextdns.io has and pihole doesn't.
People is quite excited with it in social media let's see how it evolves, is something that fits to any user since it doesn't require hardware or any expertise like pihole.

I agree with you that the best would be to call directly the root servers with unbound but again is another feature that pihole doesn't support out of the box

How do they solve the privacy issue? Do you VPN all your traffic through them, or do they just obfuscate the DNS transaction and still leave you completely trackable and identifiable through your ISP and every server that handles your packets from your local workstation to the end server? (Hint, run a traceroute to the server your visiting sometime and look at every single router that knows where you're going...)

Edit: And all the other "competitors" you've mentioned do nothing for privacy, they get all the data you're trying to hide. And they require you to pay them for the experience. So shill them all you want, I'm not worried.

Which of the root servers support encrypted DNS queries?

You have to connect to the IP before the encryption begins. So, after the browser has the IP address for the domain it seeks, it requests that IP address in clear text from the ISP. After a connection is made to that IP, then the TLS handshake process begins and the encrypted connection is created.

DoH and DoT do nothing to increase your privacy (your ISP can see your IP requests, and a third party DNS service has your entire DNS history), but they do have the benefit of security, in that the DNS travels in an encrypted tunnel with protection from third parties modifying it. But, if you use DNSSEC you get the same security benefits.

Now DoH is standardized RFC8484. Major browsers firefox and chromium (chrome, opera, edge, brave, etc.) will add DoH with the next version (ETA end of October).

A browser/application requests a DNS lookup from Pi-Hole, if it is on the block list it does not do anything with the request, if it is not on the blocklist, it forwards the request or responds from the cache. When it forwards the request Pi-Hole could forward that request, outside of your LAN, via DoH. I do exactly this by running the cloudflard daemon on the Pi-Hole machine so Pi-Hole forwards to that DNS service which forwards it over DoH.

The feature request is for the use of a DoH DNS service to be a builtin option within Pi-Hole.

If the Browser concerned is set to do DNS lookup over DoH (this is usually using a specific service), the the Pi-Hole will be bypassed. Effectively the application is deciding what DNS server to use and is not getting that info from the Network.